ring0x0

2018-04-16 jrat/adwind config

Apr 16th, 2018
  1. Sample by @Con__Galleta: https://app.any.run/tasks/e072e8d0-2752-4a84-bbaf-76b0ecd66db3
  2. {
  3. "NETWORK": [{
  4. "PORT": 7777,
  5. "DNS": "127.0.0.1"
  6. }, {
  7. "PORT": 7690,
  8. "DNS": "wildlifer.duckdns.org"
  9. }
  10. ],
  11. "INSTALL": true,
  12. "MODULE_PATH": "x/o/BkF.X",
  13. "PLUGIN_FOLDER": "KNMWqHbpCvg",
  14. "JRE_FOLDER": "YdxNEC",
  15. "JAR_FOLDER": "quuaFXLGKpd",
  16. "JAR_EXTENSION": "DujNJn",
  17. "ENCRYPT_KEY": "xSpLwkvtGiUJLUMdQPlZcUhNg",
  18. "DELAY_INSTALL": 2,
  19. "NICKNAME": "User",
  20. "VMWARE": false,
  21. "PLUGIN_EXTENSION": "QFElJ",
  22. "WEBSITE_PROJECT": "https://jrat.io",
  23. "JAR_NAME": "IDZTgqPguYD",
  24. "SECURITY": [{
  25. "REG": [{
  26. "VALUE": "\"SaveZoneInformation\"=dword:00000001\r\n",
  27. "KEY": "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments]"
  28. }, {
  29. "VALUE": "\"LowRiskFileTypes\"=\".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;\"\r\n",
  30. "KEY": "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations]"
  31. }, {
  32. "VALUE": "\"SaveZoneInformation\"=-\r\n",
  33. "KEY": "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments]"
  34. }, {
  35. "VALUE": "\"LowRiskFileTypes\"=-\r\n",
  36. "KEY": "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations]"
  37. }
  38. ],
  39. "NAME": "Open-File Security Warning"
  40. }, {
  41. "REG": [{
  42. "VALUE": "\"SEE_MASK_NOZONECHECKS\"=\"1\"\r\n",
  43. "KEY": "[HKEY_CURRENT_USER\\Environment]"
  44. }, {
  45. "VALUE": "\"SEE_MASK_NOZONECHECKS\"=\"1\"\r\n",
  46. "KEY": "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment]"
  47. }
  48. ],
  49. "NAME": "Disable Zone Checking"
  50. }, {
  51. "REG": [{
  52. "VALUE": "\"ConsentPromptBehaviorAdmin\"=dword:00000000\r\n\"ConsentPromptBehaviorUser\"=dword:00000000\r\n\"EnableLUA\"=dword:00000000\r\n\"PromptOnSecureDesktop\"=dword:00000000\r\n",
  53. "KEY": "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]"
  54. }
  55. ],
  56. "PROCESS": ["UserAccountControlSettings.exe"],
  57. "NAME": "User Account Control"
  58. }, {
  59. "REG": [{
  60. "VALUE": "\"DisableConfig\"=dword:00000001\r\n\"DisableSR\"=dword:00000001\r\n",
  61. "KEY": "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]"
  62. }
  63. ],
  64. "NAME": "Restore System"
  65. }, {
  66. "PROCESS": ["ProcessHacker.exe"],
  67. "NAME": "Process Hacker"
  68. }, {
  69. "PROCESS": ["procexp.exe"],
  70. "NAME": "MsConfig"
  71. }, {
  72. "PROCESS": ["MSASCui.exe", "MsMpEng.exe", "MpUXSrv.exe", "MpCmdRun.exe", "NisSrv.exe", "ConfigSecurityPolicy.exe"],
  73. "NAME": "Windows Defender"
  74. }, {
  75. "PROCESS": ["procexp.exe"],
  76. "NAME": "Process Explorer"
  77. }, {
  78. "PROCESS": ["wireshark.exe", "tshark.exe", "text2pcap.exe", "rawshark.exe", "mergecap.exe", "editcap.exe", "dumpcap.exe", "capinfos.exe"],
  79. "NAME": "Wireshark"
  80. }, {
  81. "PROCESS": ["mbam.exe", "mbamscheduler.exe", "mbamservice.exe"],
  82. "NAME": "MalwareBytes"
  83. }, {
  84. "PROCESS": ["AdAwareService.exe", "AdAwareTray.exe", "WebCompanion.exe", "AdAwareDesktop.exe"],
  85. "NAME": "Ad-Aware Antivirus"
  86. }, {
  87. "PROCESS": ["V3Main.exe", "V3Svc.exe", "V3Up.exe", "V3SP.exe", "V3Proxy.exe", "V3Medic.exe"],
  88. "NAME": "Ahnlab V3 Internet Security 8.0"
  89. }, {
  90. "PROCESS": ["BgScan.exe", "BullGuard.exe", "BullGuardBhvScanner.exe", "BullGuarScanner.exe", "LittleHook.exe", "BullGuardUpdate.exe"],
  91. "NAME": "Bull Guard Antivirus"
  92. }, {
  93. "PROCESS": ["clamscan.exe", "ClamTray.exe", "ClamWin.exe"],
  94. "NAME": "ClamWin Antivirus"
  95. }, {
  96. "PROCESS": ["cis.exe", "CisTray.exe", "cmdagent.exe", "cavwp.exe", "dragon_updater.exe"],
  97. "NAME": "COMODO Antivirus"
  98. }, {
  99. "PROCESS": ["MWAGENT.EXE", "MWASER.EXE", "CONSCTLX.EXE", "avpmapp.exe", "econceal.exe", "escanmon.exe", "escanpro.exe", "TRAYSSER.EXE", "TRAYICOS.EXE", "econser.exe", "VIEWTCP.EXE"],
  100. "NAME": "EScan Antivirus"
  101. }, {
  102. "PROCESS": ["FSHDLL64.exe", "fsgk32.exe", "fshoster32.exe", "FSMA32.EXE", "fsorsp.exe", "fssm32.exe", "FSM32.EXE", "trigger.exe"],
  103. "NAME": "F-Secure Antivirus"
  104. }, {
  105. "PROCESS": ["FProtTray.exe", "FPWin.exe", "FPAVServer.exe"],
  106. "NAME": "F-PROT Antivirus"
  107. }, {
  108. "PROCESS": ["AVK.exe", "GdBgInx64.exe", "AVKProxy.exe", "GDScan.exe", "AVKWCtlx64.exe", "AVKService.exe", "AVKTray.exe", "GDKBFltExe32.exe", "GDSC.exe"],
  109. "NAME": "G DATA Antivirus"
  110. }, {
  111. "PROCESS": ["virusutilities.exe", "guardxservice.exe", "guardxkickoff_x64.exe"],
  112. "NAME": "IKARUS Antivirus"
  113. }, {
  114. "PROCESS": ["iptray.exe", "freshclam.exe", "freshclamwrap.exe"],
  115. "NAME": "Immunet Antivirus"
  116. }, {
  117. "PROCESS": ["K7RTScan.exe", "K7FWSrvc.exe", "K7PSSrvc.exe", "K7EmlPxy.EXE", "K7TSecurity.exe", "K7AVScan.exe", "K7CrvSvc.exe", "K7SysMon.Exe", "K7TSMain.exe", "K7TSMngr.exe"],
  118. "NAME": "K7 Ultimate Antivirus"
  119. }, {
  120. "PROCESS": ["nanosvc.exe", "nanoav.exe"],
  121. "NAME": "NANO Antivirus"
  122. }, {
  123. "PROCESS": ["nnf.exe", "nvcsvc.exe", "nbrowser.exe", "nseupdatesvc.exe", "nfservice.exe", "nwscmon.exe", "njeeves2.exe", "nvcod.exe", "nvoy.exe", "zlhh.exe", "Zlh.exe", "nprosec.exe", "Zanda.exe"],
  124. "NAME": "Norman Antivirus"
  125. }, {
  126. "PROCESS": ["NS.exe"],
  127. "NAME": "Norton Internet Security"
  128. }, {
  129. "PROCESS": ["acs.exe", "op_mon.exe"],
  130. "NAME": "Outpost ASecurity Suite Pro"
  131. }, {
  132. "PROCESS": ["PSANHost.exe", "PSUAMain.exe", "PSUAService.exe", "AgentSvc.exe"],
  133. "NAME": "Panda Antivirus"
  134. }, {
  135. "PROCESS": ["BDSSVC.EXE", "EMLPROXY.EXE", "OPSSVC.EXE", "ONLINENT.EXE", "QUHLPSVC.EXE", "SAPISSVC.EXE", "SCANNER.EXE", "SCANWSCS.EXE", "scproxysrv.exe", "ScSecSvc.exe"],
  136. "NAME": "Quick Heal Antivirus"
  137. }, {
  138. "PROCESS": ["SUPERAntiSpyware.exe", "SASCore64.exe", "SSUpdate64.exe", "SUPERDelete.exe", "SASTask.exe"],
  139. "NAME": "SUPER Anti-Spyware"
  140. }, {
  141. "PROCESS": ["K7RTScan.exe", "K7FWSrvc.exe", "K7PSSrvc.exe", "K7EmlPxy.EXE", "K7TSecurity.exe", "K7AVScan.exe", "K7CrvSvc.exe", "K7SysMon.Exe", "K7TSMain.exe", "K7TSMngr.exe"],
  142. "NAME": "K7 Ultimate Antivirus"
  143. }, {
  144. "PROCESS": ["uiWinMgr.exe", "uiWatchDog.exe", "uiSeAgnt.exe", "PtWatchDog.exe", "PtSvcHost.exe", "PtSessionAgent.exe", "coreFrameworkHost.exe", "coreServiceShell.exe", "uiUpdateTray.exe"],
  145. "NAME": "Trend Micro Antivirus+"
  146. }, {
  147. "PROCESS": ["VIPREUI.exe", "SBAMSvc.exe", "SBAMTray.exe", "SBPIMSvc.exe"],
  148. "NAME": "VIPRE Security 2015"
  149. }, {
  150. "PROCESS": ["bavhm.exe", "BavSvc.exe", "BavTray.exe", "Bav.exe", "BavWebClient.exe", "BavUpdater.exe"],
  151. "NAME": "Baidu Antivirus 2015"
  152. }, {
  153. "PROCESS": ["MCShieldCCC.exe", "MCShieldRTM.exe", "MCShieldDS.exe", "MCS-Uninstall.exe"],
  154. "NAME": "MCShield Anti-Malware Tool"
  155. }, {
  156. "PROCESS": ["SDScan.exe", "SDFSSvc.exe", "SDWelcome.exe", "SDTray.exe"],
  157. "NAME": "SPYBOT AntiMalware"
  158. }, {
  159. "PROCESS": ["UnThreat.exe", "utsvc.exe"],
  160. "NAME": "UnThreat Antivirus"
  161. }, {
  162. "PROCESS": ["FortiClient.exe", "fcappdb.exe", "FCDBlog.exe", "FCHelper64.exe", "fmon.exe", "FortiESNAC.exe", "FortiProxy.exe", "FortiSSLVPNdaemon.exe", "FortiTray.exe", "FortiFW.exe", "FortiClient_Diagnostic_Tool.exe", "av_task.exe"],
  163. "NAME": "FortiClient"
  164. }, {
  165. "PROCESS": ["CertReg.exe", "FilMsg.exe", "FilUp.exe", "filwscc.exe", "filwscc.exe", "psview.exe", "quamgr.exe", "quamgr.exe", "schmgr.exe", "schmgr.exe", "twsscan.exe", "twssrv.exe", "UserReg.exe"],
  166. "NAME": "Twister Antivirus"
  167. }
  168. ],
  169. "JAR_REGISTRY": "PHwxvxHFpKM",
  170. "DELAY_CONNECT": 2,
  171. "SECURITY_TIMES": 20,
  172. "VBOX": false
  173. }